Please report suspected vulnerabilities privately through GitHub security advisories for this repository.
Do not open public issues for credential exposure, webhook verification bypass, or payment reconciliation issues.

- The Designer Extension must never contain MakePay key secrets.
- The backend proxy must enforce HTTPS in production.
- Webhooks must be verified before they update orders, form submissions, or CRM records.
- Restrict CORS to the final extension/backend origins before marketplace release.
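
An added example (not code from this repository) of the verify-before-update ordering the webhook rule requires. MakePay's signature scheme is not described here, so the hex HMAC-SHA256 over the raw body, the function names, the `sinks` updaters and the sample event are all assumptions.

```javascript
const crypto = require("node:crypto");

// Assumed scheme: hex HMAC-SHA256 of the raw request body, keyed with a
// webhook secret that lives only on the backend proxy.
function signatureIsValid(rawBody, signatureHex, secret) {
  if (typeof signatureHex !== "string" || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return false; // missing or malformed signature fails closed
  }
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(signatureHex, "hex");
  return crypto.timingSafeEqual(expected, received); // constant-time compare
}

// Verify first, parse second, mutate last. `sinks` holds the hypothetical
// updaters for orders, form submissions and CRM records.
function handleWebhook(rawBody, signatureHex, secret, sinks) {
  if (!signatureIsValid(rawBody, signatureHex, secret)) {
    return { status: 401, applied: [] };
  }
  let event;
  try {
    event = JSON.parse(rawBody.toString("utf8"));
  } catch {
    return { status: 400, applied: [] };
  }
  const applied = [];
  for (const [name, update] of Object.entries(sinks)) {
    update(event);
    applied.push(name);
  }
  return { status: 200, applied };
}

// Constructed sample input; the secret and event fields are placeholders.
const secret = "constructed-test-secret";
const body = Buffer.from(JSON.stringify({ type: "payment.succeeded", orderId: "ord_123" }));
const goodSig = crypto.createHmac("sha256", secret).update(body).digest("hex");
const tampered = Buffer.from(body.toString().replace("ord_123", "ord_999"));

function demo() {
  const touched = [];
  const sink = (name) => (e) => touched.push(name + ":" + e.orderId);
  const sinks = { orders: sink("orders"), formSubmissions: sink("forms"), crm: sink("crm") };
  const forged = handleWebhook(tampered, goodSig, secret, sinks);
  const missing = handleWebhook(body, undefined, secret, sinks);
  const touchedBeforeValid = touched.length; // stays 0: rejected events reach no updater
  const valid = handleWebhook(body, goodSig, secret, sinks);
  return { forged, missing, touchedBeforeValid, valid, touched };
}
```

The signature is computed over the raw bytes as received, so the backend must keep the unparsed body available to the handler rather than re-serializing parsed JSON.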